unusual traffic on my AP

Hello, I was wondering if you could help me understand what is happening.

I've been using Kismet for about 2 weeks now, to monitor traffic on my wireless network. Last night, there was a change in the usual pattern of traffic.

It's difficult to explain (as I'm new to this), but, as far as I can tell, there was traffic being transmitted from my AP, and when looking at my AP in the 'Network List Details' section of Kismet, I noticed that the AP is producing a lot of 'LLC' packets, and I don't know what these are. There were some data packets (although not many, they probably total 10 kB in 1 hour).

So I continued monitoring while I went to sleep, and when I returned to the computer in the morning, the 'LLC packets' were still being produced, but the total traffic seen on the network was 100 MB.

In the Kismet 'client list' for my network, I see the MAC code of my AP (00:1D:68:EB:5F:EE, printed on the label of the AP), but I'm also seeing a similar MAC code (00:1D:68:EB:5F:EF). *EDIT: if I go into my AP config, it says 'Physical Address: 00:1D:68:EB:5F:EF'.*

Well, I've been trying to do a little research into this, and LLC stands for Logical Link Control. These packets handle multiplexing and are standard over most data protocols. Basically these guys manage the link between your AP and a client so that multiple streams of data can be moved quickly and efficiently over a single connection.

So when data is created on your computer, different programs and protocols and whatnot all stream out their data in different formats. When this data needs to go through a bottleneck such as a network cable or Wi-Fi signal, it needs to be combined and translated into a single stream of data that can be understood by other NICs. The LLC packets make sure that everyone is talking the same language, that the rate of transmission isn't overwhelming the rate of reception, and that the data being sent is complete and not corrupted by packet loss. Once everything makes it across the bottleneck, it can be separated into its individual streams again and processed.

Now the LLCs come in two forms:

(Type 1) "Unacknowledged connectionless-mode": This is sort of a broadcast mode where the data has no specific connection; it is simply packed into a readable format and sent out to whoever can intercept it. The LLC makes sure that anyone can read the data with the proper hardware/software.

(Type 2) "Connected mode": This is where the data is packed up and sent to a specific connected client (usually encrypted). The LLC makes sure that the data goes to its specific location and not to other places where it shouldn't, while still handling the multiplexing.

Please understand that I am a complete newb and that this is simply my understanding of how it works; if I am wrong about this I would love a correction.

Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."
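The Type 1 / Type 2 split described in the post above can be read straight off the control byte of the IEEE 802.2 LLC header: I-frames and S-frames only exist on a Type 2 (connection-mode) link, while the UI, XID and TEST U-frames carry Type 1 (connectionless) service. The following decoder is an added example written for this thread, not code from any of the posters; the LLC PDUs it parses are constructed by hand, not captured traffic.

```python
"""Decode an IEEE 802.2 LLC header and classify the frame by service type.

Added example for this thread, not code from the original posts. The LLC
PDUs below are constructed by hand so the script runs offline.
"""
import struct

SNAP_SAP = 0xAA  # DSAP/SSAP value reserved for SNAP encapsulation

# U-frame control values (with the P/F bit cleared) that carry Type 1,
# unacknowledged connectionless service: UI, XID and TEST.
TYPE1_UFRAMES = {0x03, 0xAF, 0xE3}


def parse_llc(pdu: bytes) -> dict:
    """Parse DSAP, SSAP and the control field from the start of an LLC PDU.

    Returns the fields plus the frame class (I, S or U), the LLC service
    type (1 or 2) and, for SNAP frames, the OUI and EtherType.
    """
    if len(pdu) < 3:
        raise ValueError("LLC header needs at least 3 bytes")
    dsap, ssap, ctrl = pdu[0], pdu[1], pdu[2]
    info = {
        "dsap": dsap,
        "ssap": ssap & 0xFE,              # low bit of SSAP is the C/R flag
        "response": bool(ssap & 0x01),
        "group_dsap": bool(dsap & 0x01),  # low bit of DSAP marks a group SAP
        "control": ctrl,
    }
    if ctrl & 0x01 == 0:
        # I-frame: numbered data, only used on a Type 2 (connection) link
        info["frame_class"], info["service_type"], header_len = "I", 2, 4
    elif ctrl & 0x03 == 0x01:
        # S-frame: RR/RNR/REJ flow control, also Type 2 only
        info["frame_class"], info["service_type"], header_len = "S", 2, 4
    else:
        # U-frame: one control byte; UI/XID/TEST are Type 1, the rest
        # (SABME, UA, DISC, DM, FRMR) set up or tear down Type 2 links
        info["frame_class"] = "U"
        info["service_type"] = 1 if (ctrl & 0xEF) in TYPE1_UFRAMES else 2
        header_len = 3
    # SNAP: both SAPs 0xAA and a UI control byte, then 3-byte OUI + EtherType
    if dsap == SNAP_SAP and info["ssap"] == SNAP_SAP and ctrl == 0x03:
        if len(pdu) < 8:
            raise ValueError("truncated SNAP header")
        (ethertype,) = struct.unpack("!H", pdu[6:8])
        info["snap_oui"] = pdu[3:6].hex(":")
        info["ethertype"] = ethertype
        header_len = 8
    info["header_len"] = header_len
    return info


def count_service_types(pdus) -> dict:
    """Tally how many PDUs fall under Type 1 and Type 2 service."""
    counts = {1: 0, 2: 0}
    for pdu in pdus:
        counts[parse_llc(pdu)["service_type"]] += 1
    return counts


# Constructed sample PDUs (hex), not captured traffic:
SAMPLES = {
    "snap_ipv4": bytes.fromhex("aaaa03" "000000" "0800"),  # SNAP, EtherType IPv4
    "stp_bpdu": bytes.fromhex("424203"),                     # SAP 0x42, UI
    "sabme": bytes.fromhex("f0f07f"),                        # NetBIOS SAP, SABME P=1
    "iframe": bytes.fromhex("f0f00001"),                     # I-frame N(S)=0, N(R)=0
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(name, parse_llc(pdu))
    print(count_service_types(SAMPLES.values()))
```

Feed it the bytes that follow the 802.11 header of a data frame (after decryption, where the link is encrypted) and the SNAP branch is what you will see on almost every IP-carrying frame: DSAP and SSAP 0xAA, control 0x03, then the EtherType. A steady stream of Type 2 frames on a wireless link would be unusual and worth a closer look, since IP over Wi-Fi is carried in Type 1 UI frames.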

The Dupe IVs are what I'd be concerned with. Something young'uns like to do is fake a MAC that closely resembles an authorized MAC in an attempt to slip past an admin's attention. What you are looking at here is most likely a probe/attack of some sort on your WPA. Although, rethinking my own statement, IVs aren't necessary in WPA attacks....

Okay, so I've come to the conclusion that I have no idea what is causing that traffic, minus an 'evil-twin' attack, which is, quite frankly, not likely.

"The goal of every man should be to continue living even after he can no longer draw breath." ~ShadowKill

For the simple reason that APs have at least two MACs. There is a MAC for each physical Ethernet port. One is the MAC of the wireless side, and one is the MAC of the wired port. This is the way TCP/IP works, done at Layer 2 (Data Link Layer) of the OSI model.

Both of these MACs are probably from your own AP.

The numbers are similar, because of the way MACs work. The first six digits are assigned to the manufacturer of the electronics. In this case we can do a quick check of the OUI list of the IEEE, and find that the device was manufactured by:

Keep in mind this may not be the maker of the AP, but is the maker of the actual internal electronic devices used in the AP that are used to transmit and receive Ethernet traffic.

The remaining 6 digits of the MAC are assigned by the manufacturer to the Ethernet ports in each device, and they tend to be sequential. In this case we have EB:5F:EF and EB:5F:EE, which makes sense, as EF follows EE in logical order.

If you have a device with multiple ports such as a wireless router (e.g. WRT54G), then you have one for each port. In the case of a WRT54G, there would be 6 MACs: one for the wireless, one for the WAN port, and four MACs for the four switch ports.
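The OUI and sequential-suffix reasoning above is easy to mechanise, which helps when a client list shows several near-identical MACs and you want to separate "two ports of one box" from the lookalike-MAC trick mentioned earlier in the thread. The script below is an added example written for this thread, not code from any of the posters. The vendor table in it is a constructed placeholder, since the thread does not give the manufacturer's name; the real lookup is against the IEEE OUI registry. The two addresses it checks are the ones from the original post.

```python
"""Tell sibling interfaces of one device from lookalike MAC addresses.

Added example for this thread, not code from the original posts. The OUI
table is a constructed placeholder: the thread does not name the vendor
and the real registry is published by the IEEE.
"""
import re

# Constructed placeholder; consult the IEEE OUI registry for real names.
OUI_TABLE = {
    "00:1D:68": "vendor name from the IEEE OUI list (placeholder)",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:1d:68:eb:5f:ee, 00-1D-68-EB-5F-EE or 001d68eb5fee."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui(mac: str) -> str:
    """First three octets: the block the IEEE assigned to the manufacturer."""
    return normalize_mac(mac)[:8]


def vendor(mac: str) -> str:
    """Look the OUI up in the (placeholder) vendor table."""
    return OUI_TABLE.get(oui(mac), "unknown OUI")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was chosen by
    software or an admin, not burned in at the factory, so the OUI
    tells you nothing about who made the hardware."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def mac_distance(a: str, b: str) -> int:
    """Absolute difference of the two addresses as 48-bit integers."""
    def to_int(m: str) -> int:
        return int(normalize_mac(m).replace(":", ""), 16)
    return abs(to_int(a) - to_int(b))


def classify_pair(a: str, b: str, max_ports: int = 8) -> str:
    """Explain, from the defender's side, why two MACs look alike.

    max_ports bounds how far apart factory-sequential ports of one
    device are expected to be (a 4-port switch plus WAN and wireless
    sits well inside 8).
    """
    if is_locally_administered(a) or is_locally_administered(b):
        return "locally administered address in the pair: set by software, the OUI is not a factory assignment"
    if oui(a) != oui(b):
        return "different OUIs: different manufacturers, not ports of one device"
    d = mac_distance(a, b)
    if d == 0:
        return "identical addresses"
    if d <= max_ports:
        return f"same OUI, {d} apart: consistent with sequential ports of one device"
    return f"same OUI but {d} apart: same vendor, probably a separate device"


if __name__ == "__main__":
    label_mac = "00:1D:68:EB:5F:EE"   # printed on the AP label (from the thread)
    config_mac = "00:1D:68:EB:5F:EF"  # 'Physical Address' in the AP config
    print(vendor(label_mac))
    print(classify_pair(label_mac, config_mac))
```

Run it against every pair of addresses Kismet lists with the same OUI. A pair one or two apart with the universal/local bit clear is the ordinary multi-port case described above; a locally administered address, or a same-OUI address that is far from the known one, is the kind of thing worth checking against the device's own configuration page, as the original poster did.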

Revelati, thanks for that explanation of LLC packets. I tried googling it but didn't get much info. Thanks also for the link to the OSI model Wikipedia page too; I'm going to sit down and read that tomorrow.

Thorn, thanks for your explanation of the 2 MAC codes. Now it makes sense.

Also, there is an Ethernet cable running from the AP to a television & set-top box, so maybe those devices account for the (S) send-to MACs? I'll pull the plug on their power tomorrow and see.